Automattic, the company behind the popular WordPress content management system, has issued a warning about a serious vulnerability in a widely used plugin.
FancyBox is a popular plugin used to display images, HTML content and video clips in a ‘lightbox’ that floats above websites. However, a bug in older versions of the plugin can allow hackers to inject malicious code into a website.
The issue came to light on a WordPress support forum last week, when several users complained their websites had been infected with malware and the plugin quickly emerged as a common thread. Some complained the malware had also compromised their sites’ database.
“I have also got [malware content] on my site. I got a [sic] the dreaded email from Google saying my site has malware infected on it. I am currently in contact with [my web hosting company]. They are currently scanning my site for malicious code,” one user said.
After the issue came to light, the developer of the plugin issued a patch as part of a new version, 3.0.4. Website owners running a version older than this are urged to update immediately.
In recent versions of WordPress, the plugin can be updated from the WordPress dashboard by scrolling down to the “Plugins” section, selecting the “Fancybox-for-WordPress” plugin from the list, and clicking the “Update Plugins” button.